
Spyware for Firefox Coming This Year? 630

EvilCowzGoMoo writes "One of the main reasons for the Firefox browser's successful seizure of market share from Microsoft's Internet Explorer is the desire to escape the inundation of PC-slowing spyware. However, spyware experts indicate that with its increased popularity, Firefox itself will become a target for spyware creators." From the article: "Basically, if you use Firefox today, you're not susceptible to any spyware, other than what you download when you're on Kazaa...The spyware writers target mostly Explorer users because that's the most fertile feeding ground for piranha-like (spyware) attacks. They'll watch as Firefox becomes mainstream, they'll see opportunity there and start targeting them."
  • Re:Duh. (Score:2, Informative)

    by numbski ( 515011 ) * <numbski&hksilver,net> on Tuesday February 08, 2005 @12:25PM (#11606971) Homepage Journal
    FUD.

    FreeBSD, Linux, and MacOS X would still be a less vulnerable target. Worst case scenario, delete ~/.mozilla/firefox (~/Library/Application Data/Firefox), start over.

    The reason Windows is such a mess is that there's no 'easy' way to clean up the mess. You could wipe out the user's entire home directory on Windows and still be screwed. On a *nix based system, wiping out the home directory would usually fix you right up.
  • by eno2001 ( 527078 ) on Tuesday February 08, 2005 @12:26PM (#11606986) Homepage Journal
    ...being a 100% full time user of Firefox, I was surprised to find a site in a random web search a week or two ago that actually got a pop-up window going, but also appeared to attempt to execute some code as Firefox popped open a dialog asking me what I wanted to do with the file that was being downloaded. Thankfully, I have it ask me what I want to do, but if I was a typical user, I would have already associated the *.DOT file with MS Word and god knows what would have happened. Keep in mind that I didn't actually click on any links that indicated a download, I only clicked on a Google search result which took me to a site that displayed a blank screen and then the pop-up. I have to wonder what would have happened if I had associated OpenOffice.org with the *.DOT file since I run Linux. Probably not much... but it definitely indicates that Firefox will be targeted. The real question is: will the Mozilla project be able to keep up any better than MS has with IE? I'm guessing that they will.
  • Re:...and.... (Score:5, Informative)

    by arkanes ( 521690 ) <<arkanes> <at> <gmail.com>> on Tuesday February 08, 2005 @12:27PM (#11606989) Homepage
    Current versions of Firefox don't allow this, unlike the (annoyingly easy to mis-click) ActiveX install dialog in IE. There's a whitelist for sites permitted to install extensions, which (by default) is limited to the official Mozilla update site. Sites not in the whitelist won't even get a dialog, instead a yellow bar at the top of the screen appears, with a button you can use to access the whitelist and add the site. A site on the whitelist gets the standard dialog, which has a time-delay OK button to help prevent mis-clicks. There's no absolute way to prevent people from installing malicious extensions, but (assuming there are no bugs in, say, the whitelist implementation) Firefox's current model is about as good as you could get.

    Note that older versions of Firefox (and Mozilla) don't have the whitelist, and even older ones don't even have the dialog and are in fact vulnerable.

  • by maskedbishounen ( 772174 ) on Tuesday February 08, 2005 @12:30PM (#11607037)
    This is why Mozilla Update [mozilla.org] exists. A safe haven for users to find extensions that won't screw them over.

    Supposedly.

    If nothing else, at least it has a rating and feedback system, so you'll have a heads up from others.
  • by The Grey Clone ( 770110 ) on Tuesday February 08, 2005 @12:30PM (#11607042) Homepage
    Huh, that's funny. A quick search on Google says that ISTbar is an Internet Explorer toolbar, homepage, and search engine hijacker and will pop up porn advertisements. I didn't see anything about Firefox, but, like I said, it was just a quick Google search. It doesn't make sense, why would someone deliver spyware that only affects IE through Firefox? Are you sure that you guys are the only ones using your computer?
  • by Anonymous Coward on Tuesday February 08, 2005 @12:30PM (#11607046)
    From here [doxdesk.com]...

    "ISTbar is an IE toolbar, homepage- and search-hijacker provided by Integrated Search Technologies/CDT Inc."

    It was probably installed by an application that is using embedded IE (i.e. an ActiveX object). Why would someone target Firefox only to install an IE-only browser 'helper'?
  • "Expert"? (Score:5, Informative)

    by Kupek ( 75469 ) on Tuesday February 08, 2005 @12:30PM (#11607048)
    Their expert is the Vice President of Threat Research at Webroot [webroot.com]. That much is from the article. The article doesn't take the next logical step, however, and point out that Webroot is in the business of developing and selling software to prevent, detect and eliminate spyware. So it's certainly in this guy's interest for people to think that spyware is still a problem.

    Their other expert is also from a company that makes similar software. So people who make anti-spyware software agree: you need anti-spyware software.

    I'll be more concerned when independent parties think spyware in Firefox is an issue.
  • by Misch ( 158807 ) on Tuesday February 08, 2005 @12:32PM (#11607067) Homepage
    ISTbar's "infection vector" is ActiveX [simplythebest.net].

    Probably didn't come through Firefox.
  • by Anonymous Coward on Tuesday February 08, 2005 @12:33PM (#11607094)
    I got hit with that one a while back at work. I managed to remove it and then watched it reinstall itself. It would appear on my computer within minutes of booting up. I don't remember what vulnerability in Windows it exploits, but running Firefox was 100% not required to get it. Until the sysadmin got me patched up, I stopped it from coming back by creating a read-only file with its name where it tried to install.
  • by Anonymous Coward on Tuesday February 08, 2005 @12:36PM (#11607114)
    Look here:

    http://securityresponse.symantec.com/avcenter/venc/data/trojan.wimad.html [symantec.com]

    or here:

    http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html [symantec.com]

    for information about that spyware program. It's very likely that you contracted it in another way than some unknown exploit in FireFox. What email program are you using for example? Outlook Express maybe?
  • Re:Java spyware? (Score:3, Informative)

    by bobintetley ( 643462 ) on Tuesday February 08, 2005 @12:46PM (#11607225)

    they'd have the same access as a regular desktop java-app?

    No. Java Applets have always been sandboxed and run with a security manager that disallows reading/writing to the hard disk and connecting to any network domain but the one that the applet came from.

    So yes, you could run it, but the applet can't actually see or do anything outside of itself.

  • Not Worried (Score:2, Informative)

    by Alien Venom ( 634222 ) on Tuesday February 08, 2005 @12:54PM (#11607323) Homepage
    Firefox itself will become a target for spyware creators.

    And that's why there's an option to "Allow websites to install software (extensions)." Just be sure you limit these sites to Mozilla-related sites (like mozilla.org and mozdev.org) and you will be fine.

    I've actually had some borderline-illegal sites try to install Mozilla extensions (XPI's) as well, and the built-in protection scheme stopped it cold.

    Just be thankful that there's no "code" to exploit (like the ActiveX component in IE) in Firefox.
  • Re:Duh. (Score:3, Informative)

    by arkanes ( 521690 ) <<arkanes> <at> <gmail.com>> on Tuesday February 08, 2005 @12:54PM (#11607324) Homepage
    Administrator user is actually prevented from an easy login on most XP machines.

    This is untrue.

    So the user you log into a XP machine with is in the equivalent of a user in the root or wheel group IMO...

    This is mostly untrue, because being in the Administrator group in Windows gives you exactly the same abilities as the Administrator user account, with no extra step needed to escalate your own privileges.

  • Re:Been here a while (Score:3, Informative)

    by kbmccarty ( 575443 ) <kmccarty&gmail,com> on Tuesday February 08, 2005 @12:58PM (#11607387) Journal

    Example is here [cracks.am] (NSFW), try to download a file if you want to see what I mean.

    All right, I'll bite.

    Middle-click on link to open in new tab. Deny www.cracks.am from setting a cookie. Click the letter "C" in the alphabetical set of links. Click the link for "C++ Editor v1.0". Deny install.xxxtoolbar.com from setting a cookie. Click the "Download a File" button. Then two dialog windows appear. One is titled "JavaScript Application" and says "Download ABORTED -- You must click YES". Hitting "OK" (the only button on that window) lets me access the other window.

    The other window is a standard Firefox download window saying "You have chosen to open C++_Editor_v1.0.zip which is a: ZIP file from: http://www.cracks.am/", etc. Clicking "OK" for the default choice, which is "Open with /usr/bin/file-roller", gives me a look inside a zip file filled with wholesome-looking files with names like iNFECTiON.nfo. Meanwhile the web page itself complains "Download Error - wrong URL! Please turn off any download managers" even though the ZIP file appears to have downloaded fine.

    Using the packaged version of Mozilla Firefox on Debian GNU/Linux (unstable), version 1.0+dfsg.1-5. Also using Privoxy as a proxy; don't know whether this made a difference. Conclusion: at least on this platform, installing unsigned XPIs isn't going to work on a properly updated Firefox.

  • by bcmm ( 768152 ) on Tuesday February 08, 2005 @01:03PM (#11607453)
    Microsoft ActiveX for Netscape plugin is installed maybe?
    (It works with Mozilla and Firefox too, but MS always likes to call them Netscape...)
  • Re:I doubt it ... (Score:3, Informative)

    by digidave ( 259925 ) on Tuesday February 08, 2005 @01:03PM (#11607463)
    The FF auto-update doesn't need to download the whole app again, just the changes, which are generally XPIs or XUL code. Not huge.
  • Re:Duh. (Score:1, Informative)

    by Anonymous Coward on Tuesday February 08, 2005 @01:07PM (#11607518)
    Yes, because we all know that there hasn't been a recent rash of privilege escalation [kerneltrap.org] bugs found in Linux lately.
  • by calyptos ( 752073 ) on Tuesday February 08, 2005 @01:11PM (#11607593) Homepage
    The sites that claim they require Internet Explorer for video, usually can work fine with other browsers but the web developer blocks those browsers. You can get a firefox extension to fake being IE to get into those sites and it will work, but I forget what the name is. The real solution would be a law that prohibits sites from intentionally not working on browsers which follow the standards.
  • by wild_berry ( 448019 ) on Tuesday February 08, 2005 @01:15PM (#11607629) Journal
    Interesting. That's another spin on the name. I had assumed that it indicated that Phoenix was the browser that emerged from the ashes of Netscape Navigator.

    I've had Spybot S&D rate cookies accepted by Firefox as spyware; I haven't met any malicious XPI's just yet.
  • Re:"Expert"? (Score:1, Informative)

    by Anonymous Coward on Tuesday February 08, 2005 @01:15PM (#11607633)
    What kind of source would be an "independent third party" that would be reliable?

    How about this:

    Computer Associates Director of Malicious Content Research Roger Thompson said although spyware for Firefox this year is possible, it is unlikely.

  • by orasio ( 188021 ) on Tuesday February 08, 2005 @01:22PM (#11607747) Homepage
    Dillo is for you.
    http://www.dillo.org/ [dillo.org]

    It has all the features you need.
    I need other features, and I use Firefox + extensions.
  • Re:"Expert"? (Score:3, Informative)

    by Kupek ( 75469 ) on Tuesday February 08, 2005 @01:25PM (#11607785)
    Security experts in academia? I realize that some (a lot?) of them are more theoretical, but seems to be a good place to start. I know some research groups have been the ones to first report various security holes in software.

    The difficulty with people in a VP position is there's no way of knowing if they have a technical background; I was part of a small startup company where our VP of engineering was also a primary developer, but it's not necessarily the case. My gut reaction is he's just presenting information that he thinks is in the best interest of the company - which, after all, is his job.
  • by 9thWave ( 822212 ) on Tuesday February 08, 2005 @01:28PM (#11607834)
    The Shmoo Group (http://www.shmoo.com/ [shmoo.com]) 0wned Firefox and basically everything except IE with International Domain Support. It might be a wise security move to turn this functionality off in your browsers until updated versions address the vulnerability, as phishing scams are expected to erupt utilizing this exploit shortly.

    Details here: http://www.shmoo.com/idn/homograph.txt [shmoo.com]

    Watch the exploit in action here: http://www.shmoo.com/idn/ [shmoo.com]

    To patch this (in most browsers):

    1) Go to your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.
    2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.
    3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.
    4) Go check out the shmoo demo (above) again and notice it no longer works.
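
The homograph problem described in the comment above can also be checked for on the defender's side. This is an added example, not code from the commenter or from the Shmoo Group: it flags DNS labels that mix scripts (for instance a Cyrillic letter inside an otherwise Latin name) and shows the punycode form next to the displayed form. The function names are hypothetical, the hostnames are constructed samples, and taking the script from the first word of a character's Unicode name is a heuristic.

```python
import unicodedata

def char_script(ch):
    """Approximate script of a character, or None for shared characters."""
    # ASCII digits and the hyphen appear in labels of every script.
    if ch.isascii() and (ch.isdigit() or ch == "-"):
        return None
    try:
        # Heuristic: "LATIN SMALL LETTER A" -> "LATIN",
        #            "CYRILLIC SMALL LETTER A" -> "CYRILLIC".
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNNAMED"

def to_unicode(label):
    """Decode an xn-- (punycode) label; return it unchanged if malformed."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label

def to_ascii(label):
    """ASCII (xn--) form of a label. Simplification: no nameprep is applied."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def mixed_script_labels(hostname):
    """Return (ascii_form, unicode_form, scripts) for each mixed-script label."""
    findings = []
    for raw in hostname.rstrip(".").split("."):
        uni = to_unicode(raw)
        scripts = sorted({s for s in map(char_script, uni) if s})
        if len(scripts) > 1:
            findings.append((to_ascii(uni), uni, scripts))
    return findings

if __name__ == "__main__":
    # Constructed samples: the second hostname has U+0430 (Cyrillic "a")
    # in place of the Latin "a"; the third label is entirely Cyrillic.
    samples = [
        "www.example.com",
        "ex\u0430mple.com",
        "\u043f\u0440\u0438\u043c\u0435\u0440.example",
    ]
    for host in samples:
        hits = mixed_script_labels(host)
        if hits:
            for ascii_form, uni, scripts in hits:
                print(f"SUSPICIOUS {host!r}: label {uni!r} = {ascii_form} "
                      f"mixes {', '.join(scripts)}")
        else:
            print(f"ok         {host!r}")
```

A label written entirely in one non-Latin script is not flagged, so this check does not catch whole-script lookalikes.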

  • by Haydn Fenton ( 752330 ) <no.spam.for.haydn@gmail.com> on Tuesday February 08, 2005 @01:28PM (#11607838)
    There's probably a multitude of reasons.

    If you go to about:mozilla in any of the Firefox browsers (Netscape too - heck, even IE since it was based on Netscape, but it just shows a blue screen), it will pull up a page from "The Book of Mozilla", most of them have references to a great bird rising from ashes, or something similar to that effect. If they were in Netscape then they clearly predate Firefox, however, I believe the names Phoenix and Firebird were probably based around them. Wikipedia's entry on The Book of Mozilla [wikipedia.org], no doubt it explains it on there, I'm too lazy\busy to read through it.
  • by iabervon ( 1971 ) on Tuesday February 08, 2005 @01:28PM (#11607846) Homepage Journal
    One significant difference is that Firefox (1.0) uses a non-modal section for this sort of thing, so the user is much more likely to completely ignore it. Additionally, the section appears in the same area that the browser offers to let you see pop-ups, so users will quickly be trained to ignore that section as being for getting ads. It won't stop users from getting spyware, but the users will actually have to pay attention to figure out how to get it, rather than being bombarded with offers for it and having to refuse them intentionally.
  • Re:Duh. (Score:3, Informative)

    by rainman_bc ( 735332 ) on Tuesday February 08, 2005 @01:38PM (#11607970)
    I don't know what version of XP you've installed, but when I install it, I explicitly am not allowed a blank password for Administrator during the install process. Anyone that's left a blank password on the Administrator account has done so explicitly.
  • by secolactico ( 519805 ) on Tuesday February 08, 2005 @01:47PM (#11608110) Journal
    This should be a bit more enforced. How about adding a "Are you Really Sure?" warning for installing XPIs that are NOT from Mozilla Update?

    Isn't it already? In order to install an extension from somewhere other than mozdev, I have to add the site to a list of approved extensions sources.
  • The difference? (Score:3, Informative)

    by jhylkema ( 545853 ) on Tuesday February 08, 2005 @02:26PM (#11608623)
    Security is a priority for Firefox. For M$, it isn't. The Firefox folks won't deliberately leave obvious unpatched security holes the way His Billness does.
  • by WaterBreath ( 812358 ) on Tuesday February 08, 2005 @02:33PM (#11608708)
    At least on Windows, Firefox has Java enabled by default, and also the "allow web sites to install software" option. If you don't turn those off, you'll be vulnerable to a lot of stuff. I have both off. When I need to install a Firefox update, extension, or theme, I just turn on "allow installs" to do it, then turn it back off. Same for making use of Java applets that I trust.
  • by jwilcox154 ( 469038 ) on Tuesday February 08, 2005 @02:36PM (#11608751) Journal
    heck, even IE since it was based on Netscape, but it just shows a blue screen

    Internet Exploder was not based upon Netscape, but it was based upon the Mosaic Web Browser.

    Here's what it says in the "About Internet Explorer" dialog
    Based on NCSA Mosaic. NCSA Mosaic(TM) was developed at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign.


    They got the term for the Open source project Mozilla from Netscape's Original code name which is a contraction of Mosaic + Godzilla (i.e. Mosaic killer [webopedia.com]), and was coined by Jamie Zawinski (jwz) when Netscape's primary competition was Spyglass Mosaic.

    In other words, Mozilla/Netscape and Mosaic/Internet Explorer are not based on one another, they have nothing to do with one another except they're competing web browsers.
  • by Anonymous Coward on Tuesday February 08, 2005 @03:48PM (#11609622)
    For your peace of mind, a succinct Google Answers treatise [google.com] on 2o7.net. Final conclusion: it's not malicious software; BBC (and many, many others) contracted with 2o7.net's owners for site traffic analysis.
  • by Magic Thread ( 692357 ) on Tuesday February 08, 2005 @04:06PM (#11609913) Homepage Journal
    2o7.net is a web analysis company, used explicitly by the BBC and other sites. See the replies on the freebsd-chat mailing list where the parent message was posted:

    1 [freebsd.org] 2 [freebsd.org]
  • by niittyniemi ( 740307 ) on Tuesday February 08, 2005 @04:37PM (#11610399) Homepage

    > You're an idiot

    It grieves me to say this: but Mr.AC you're right!

    I'm also a buffoon and a fool to boot.

    Please feel welcome to mod my original post as: -5, Bonkers

    Short answer: I failed to parse the BBC's privacy statement [bbc.co.uk] or do a whois on 2o7.net.

    As others have mentioned, the BBC (or rather a 3rd party they've contracted) are tracking users and obviously a few other things as well.

    Any future reports from me of spyware on *nix are to be viewed with scepticism and should be modded accordingly.

  • by say ( 191220 ) <sigve@wo l f r aidah.no> on Tuesday February 08, 2005 @05:55PM (#11611550) Homepage
    Actually, the project leader (Marc Andreessen) left NCSA, took with him Mosaic, and started Netscape.
  • by Spetiam ( 671180 ) on Tuesday February 08, 2005 @07:27PM (#11612678) Journal
    This may be of assistance to those wishing to block connections to adware sites: hosts [mvps.org].
